Turning on and logging into a Microsoft Windows-based PC is a much quicker and more streamlined process than it used to be.
Years ago, it usually entailed sitting through a lengthy startup operation and then needing to key in a complicated password just to gain access to the system. Forgetting the right login credentials was naturally a major setback, requiring either an administrator-initiated reset for a domain account, or the use of a password hint or a reset disk stored on a USB flash drive.
The use of non-local Microsoft accounts, with straightforward reset mechanisms, as login accounts for Windows 10 devices has made life a bit easier. Plus, the replacement of hard-disk drives with solid-state drives has greatly sped up the overall startup process. But the password bottleneck is still there.
Password-based security puts a burden on both end-users and IT admins:
- Users have to remember and enter complex and unique passwords that meet minimum requirements for length, use of special characters and exclusion of their account names.
- Admins have to configure the appropriate password settings and perform frequent resets. Gartner has estimated that between 20% and 50% of all help desk calls are for password resets.
In this context, Windows Hello for Business and its consumer-oriented counterpart Windows Hello provide immense relief.
Windows Hello for Business versus Windows Hello, explained
These two solutions implement strong two-factor authentication (2FA, also described as multi-factor authentication, or MFA) via options such as biometrics and local PINs that replace traditional passwords during the login process; learn more about 2FA/MFA in our blog on this topic. As such, they both provide an ideal combination of convenience and security, with greater usability and stronger protection than text-based passwords could ever offer.
However, despite their almost identical names, the two are quite different from each other. Windows Hello is relatively simple and uses biometrics, namely fingerprint reading, iris scanning and facial recognition, via a device’s integrated camera or fingerprint reader, or compatible external hardware. Although Windows Hello for Business can leverage biometrics as well, it has a more complex architecture that uses asymmetric key pairs together with device PINs. We’ll discuss some of the technical details of how this works later, to show how it surpasses traditional password security.
All of this added complexity also allows it to support a much broader, more enterprise-centric set of features. Devices fully configured for Windows Hello for Business can use it to sign into an Active Directory, Azure Active Directory or Microsoft account. Support for third-party identity providers that adhere to the FIDO2 standard was in progress as of October 2019. The Kensington VeriMark IT Fingerprint Key also supports FIDO2 within the confines of a Microsoft environment.
Plus, Windows Hello for Business devices can take advantage of single sign-on (SSO) or, with certificate-based PINs, enjoy remote access through a VPN without the need for additional multifactor authentication with phone verification. Those are both pivotal benefits for today’s increasingly remote workforces, which require streamlined access to multiple critical apps and services without needing to jump through the hoops of complex passwords and drawn-out reset requests.
Overall, Windows Hello for Business incorporates its sophisticated functionality into an intuitive and uncomplicated experience for end users, not to mention a more manageable security architecture for IT admins. Let’s look at how it works on a technical level and why it’s preferable to passwords.
How Windows Hello for Business works and why it's better than passwords
At its core, Windows Hello for Business provides a new, non-password credential for Windows 10 devices. It implements 2FA/MFA, meaning multilayered security that is much more difficult to bypass than protection that hinges solely on a correct username and password combination.
A desktop or mobile device that is secured only with that type of single-factor authentication is vulnerable if its login information is ever stolen or successfully guessed, allowing for unauthorized access and possible data exfiltration. Single-factor accounts are particularly at risk from phishing attacks that attempt to harvest logins via email.
According to PhishMe research, over 90% of data breaches begin with a spear-phishing email. Phishing has grown more sophisticated over time, in some cases using real-looking login pages that are actually malicious sites. In addition to phishing, passwords are also vulnerable to other threats such as replay attacks or any campaign that could potentially expose credentials stored on a server.
With strong 2FA through Windows Hello for Business, these particular risks don’t apply. Authenticating into a targeted user’s account would require more than just possessing their physical device and its private key (strong credential). Any attacker would also need to know either the specific PIN or have the biometric credential associated with it, to access that same key. A model Windows Hello for Business implementation has multilayered defenses, each of which is difficult for any unauthorized user to bypass.
The device itself
Windows Hello for Business’s strong credentials are bound to particular devices through private keys or certificates. It may establish trust either through an enterprise’s public key infrastructure (PKI) with device-bound keys or through certificate-based authentication. Which one is preferable depends on whether an organization wants to issue end-entity certificates to its users and on what version of Windows Server its domain controllers run. Certificate-oriented deployments resemble smart cards and virtual smart cards in that they have managed expirations and renewals.
Exploring all the possible implementation options is beyond our scope, so let’s examine just one in more depth. For a hardware-oriented setup with PKI, Windows Hello for Business draws upon the unique, tamper-resistant trusted platform module (TPM) chip in the device to generate and protect the private key. Since the TPM is a dedicated cryptographic hardware element integrated into the PC or mobile device’s motherboard, the private key never leaves the device. Likewise, fingerprint profiles in VeriMark solutions are stored in a TPM.
Meanwhile, the corresponding public key is registered for that device with the authentication server, which may use Active Directory, Azure Active Directory or a Microsoft account as its identity provider. The resulting user key pair (the TPM-protected private key on the enrolled device and the server-registered public key) is one factor in Windows Hello for Business’s strong second-factor authentication structure.
The pairing of the two keys authenticates the user into their account, but only after they have provided something else to prove they are the trusted possessor of the private key, namely a PIN or biometric credential. The total combination ensures that each login includes something the user has (the device/private key), knows (the PIN), and/or is (biometrics).
At first glance, it might seem like a Windows Hello for Business PIN is just a password by another name, since it’s textual and must be remembered. But they’re nothing alike in practice.
For starters, a PIN is tied to a specific device. Even if someone knows the PIN, they would need the hardware it corresponds to as well. That’s not the case with passwords, which can be used for logging in from virtually anywhere regardless of device.
The PIN is also stored locally and never reaches a remote server. As a result, there is no prospect of a massive data breach that would expose the PIN. A correct PIN simply unlocks the private key that signs the request to the authentication server.
For devices with TPM chips, built-in anti-hammering measures prevent brute-force guessing of even simple PINs, were the device to be lost or stolen. A series of incorrect guesses will lock the device, rendering the private key inaccessible.
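To make the key-and-PIN structure concrete, here is an added Go example (not Microsoft’s code and not VeriMark firmware) that models the flow in miniature: the device generates a key pair, only the public key is handed to the server, the PIN unlocks the private key to sign a fresh nonce, and repeated wrong PINs lock the key. The Device, Enroll, SignChallenge and Verify names and the lockout threshold are assumptions of the model; a real TPM enforces anti-hammering in hardware rather than in software like this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// maxFailures is a constructed anti-hammering threshold; a real TPM enforces its own.
const maxFailures = 3
// Device is a hypothetical model of the enrolled PC: the private key is generated
// here and never leaves, and the stored PIN hash only gates access to that key.
type Device struct {
	priv     *ecdsa.PrivateKey
	pinHash  [32]byte
	failures int
}
// Enroll creates the device-bound key pair and returns the public half, which is
// the only part registered with the identity provider (the private key stays put).
func Enroll(pin string) (*Device, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, &priv.PublicKey, nil
}

// SignChallenge unlocks the key with the PIN and signs the server's nonce.
// Each wrong PIN counts toward lockout; once locked, the key is unusable.
func (d *Device) SignChallenge(pin string, nonce []byte) ([]byte, error) {
	if d.failures >= maxFailures {
		return nil, errors.New("device locked: too many bad PIN attempts")
	}
	if sha256.Sum256([]byte(pin)) != d.pinHash {
		d.failures++
		return nil, errors.New("wrong PIN")
	}
	d.failures = 0
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify is the server side: it checks the signature with the registered public
// key over the nonce it issued, so a signature captured earlier fails on a fresh nonce.
func Verify(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Note that the server never sees the PIN: a stolen signature is useless against the next nonce, and a stolen PIN is useless without the device holding the key.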
Admins may also set complexity requirements for PINs within Microsoft Intune, as with passwords. The PIN is required even if biometric sign-in is preferred, since it provides recourse if the fingerprint reader or other specialized technology isn’t working or is otherwise unavailable.
Biometric authentication provides the most convenient and secure second factor for Windows Hello for Business. A user provides a fingerprint or face/iris scan as the primary gesture for accessing their device-specific credentials, while the PIN serves as a required backup option.
Using Windows Hello for Business compliant biometric devices is beneficial for multiple reasons:
- Someone’s fingerprint or face shape is difficult to steal or spoof in any reliable fashion, as it is unique to each individual.
- Logging in with biometrics is very streamlined, requiring only a quick glance or placement of the finger.
- The biometric data itself is stored only on the local device and never transmitted to a server, thereby avoiding the creation of a remotely accessible and breachable credential repository.
Additionally, there is flexibility in what types of hardware can be used to implement biometrics in Windows Hello for Business. Important features to consider include false acceptance and false rejection rates for the biometric login.
The Kensington VeriMark IT Fingerprint Key’s false acceptance and false rejection rates comfortably satisfy the minimum requirements for Windows Hello-compliant solutions. Its Match-in-Sensor technology, compatibility with FIDO2 passwordless authentication standards and compact design also make it highly reliable and portable across many contexts. VeriMark solutions are tightly aligned with Windows Hello for Business and are crucial components in implementing the platform in an enterprise context.
Additional benefits from Windows Hello for Business
Beyond its considerable advantages over password-based authentication, Windows Hello for Business is also appealing because of its broad compatibility with existing enterprise infrastructures and functions.
Flexible on-prem, cloud and hybrid options
Enterprises may deploy Windows Hello for Business on-premises, in the cloud, or in a hybrid deployment that blends the two. The deployment type determines which identity providers can be used and what additional factors are accepted for 2FA/MFA during the initial provisioning of the strong credential.
Cloud and hybrid deployments use Azure Active Directory, while an on-prem deployment relies on Windows Server 2016 Active Directory Federation Services (AD FS). Also, cloud and hybrid implementations of Windows Hello for Business accept a broader range of additional factors during strong credential setup, to ensure that the private key is issued to a device in the possession of a trusted user.
Certificates and customizable Microsoft Intune configurations
We mentioned certificate-based forms of Windows Hello for Business earlier. These are similar to existing smart card or virtual smart card scenarios and can be managed through Microsoft Intune.
Within Intune, it’s also possible to create an organization-wide policy during device enrollment. Admins can set specifications such as PIN and biometrics requirements and decide whether to require enrolled devices to have TPM chips onboard.
SSO and remote access for Windows Hello for Business devices
Because Windows Hello for Business can authenticate someone into an Active Directory or Azure Active Directory account, it also has support for SSO. Through SSO, users can sign into multiple services with a common set of credentials and not have to reenter them on a per-application basis.
Certificate-based Windows Hello for Business is also fully compatible with the Windows 10 VPN Client. Once the correct biometric gesture or PIN is supplied, the VPN uses the certificate to authenticate the user’s connection.
A reduced security burden on IT
Windows Hello for Business replaces passwords in every common situation except for the initial one-time provisioning of its strong credentials. That means IT doesn’t have to sink so much time into resetting users’ passwords and verifying their identities.
Every moment the help desk spends on password resets is one it can’t devote to more strategic projects. Windows Hello for Business is not only more secure than password reliance, but more scalable, sustainable and cost-effective, too.
How to get started with Windows Hello for Business
Microsoft has published a useful guide on how to begin planning a Windows Hello for Business deployment. As you get further into the details, it’s time to think about what modes of biometric authentication you want to incorporate into your implementation.
Kensington biometric solutions like the new VeriMark IT Fingerprint Key support Windows Hello for Business and can be used to support its strong second-factor authentication. Learn more on our biometrics page or download the eBook Moving Past the Password with VeriMark and VeriMark IT.